LXR linux/net/netfilter/xt

   1/*
   2 * Kernel module to match various things tied to sockets associated with
   3 * locally generated outgoing packets.
   4 *
   5 * (C) 2000 Marc Boucher <marc@mbsi.ca>
   6 *
   7 * Copyright © CC Computer Consultants GmbH, 2007 - 2008
   8 *
   9 * This program is free software; you can redistribute it and/or modify
  10 * it under the terms of the GNU General Public License version 2 as
  11 * published by the Free Software Foundation.
  12 */
  13#include <linux/module.h>
  14#include <linux/skbuff.h>
  15#include <linux/file.h>
  16#include <net/sock.h>
  17#include <linux/netfilter/x_tables.h>
  18#include <linux/netfilter/xt_owner.h>
  19
  20static bool
  21owner_mt(const struct sk_buff *skb, const struct xt_match_param *par)
  22{
  23        const struct xt_owner_match_info *info = par->matchinfo;
  24        const struct file *filp;
  25
  26        if (skb->sk == NULL || skb->sk->sk_socket == NULL)
  27                return (info->match ^ info->invert) == 0;
  28        else if (info->match & info->invert & XT_OWNER_SOCKET)
  29                /*
  30                 * Socket exists but user wanted ! --socket-exists.
  31                 * (Single ampersands intended.)
  32                 */
  33                return false;
  34
  35        filp = skb->sk->sk_socket->file;
  36        if (filp == NULL)
  37                return ((info->match ^ info->invert) &
  38                       (XT_OWNER_UID | XT_OWNER_GID)) == 0;
  39
  40        if (info->match & XT_OWNER_UID)
  41                if ((filp->f_cred->fsuid >= info->uid_min &&
  42                    filp->f_cred->fsuid <= info->uid_max) ^
  43                    !(info->invert & XT_OWNER_UID))
  44                        return false;
  45
  46        if (info->match & XT_OWNER_GID)
  47                if ((filp->f_cred->fsgid >= info->gid_min &&
  48                    filp->f_cred->fsgid <= info->gid_max) ^
  49                    !(info->invert & XT_OWNER_GID))
  50                        return false;
  51
  52        return true;
  53}
  54
  55static struct xt_match owner_mt_reg __read_mostly = {
  56        .name       = "owner",
  57        .revision   = 1,
  58        .family     = NFPROTO_UNSPEC,
  59        .match      = owner_mt,
  60        .matchsize  = sizeof(struct xt_owner_match_info),
  61        .hooks      = (1 << NF_INET_LOCAL_OUT) |
  62                      (1 << NF_INET_POST_ROUTING),
  63        .me         = THIS_MODULE,
  64};
  65
  66static int __init owner_mt_init(void)
  67{
  68        return xt_register_match(&owner_mt_reg);
  69}
  70
  71static void __exit owner_mt_exit(void)
  72{
  73        xt_unregister_match(&owner_mt_reg);
  74}
  75
  76module_init(owner_mt_init);
  77module_exit(owner_mt_exit);
  78MODULE_AUTHOR("Jan Engelhardt <jengelh@medozas.de>");
  79MODULE_DESCRIPTION("Xtables: socket owner matching");
  80MODULE_LICENSE("GPL");
  81MODULE_ALIAS("ipt_owner");
  82MODULE_ALIAS("ip6t_owner");
  83